Plan Internet Explorer feature control settings in the 2007 Office system

Updated: February 12, 2009

Applies To: Office Resource Kit

Topic Last Modified: 2009-05-11

Internet Explorer feature control settings enable you to mitigate threats that can occur when an application programmatically uses Internet Explorer functionality. It is important to mitigate Internet Explorer threats because any threats that exist for Internet Explorer also exist for any application that is hosting Internet Explorer.

You can configure 15 Internet Explorer feature control settings in the 2007 Office system. For more information about the Internet Explorer feature control settings, see Security policies and settings in the Office 2007 system. Each setting restricts a specific type of Internet Explorer behavior or functionality. To enable the restrictive behavior or functionality for a particular setting, you opt in applications. When an application is opted in to a particular Internet Explorer feature control setting, the more restrictive behaviors specified by the setting are enforced whenever the application hosts Internet Explorer. Conversely, when an application is opted out of a particular setting, the more restrictive behaviors specified by the setting are not enforced whenever the application hosts Internet Explorer.

To design Internet Explorer feature control settings, you must:

Identify applications that host Internet Explorer.

Determine which Internet Explorer feature control settings to implement.

Identify potential conflicts with previous versions of the Office system.

An application hosts Internet Explorer when any type of active content — such as ActiveX controls, add-ins, or Visual Basic for Applications (VBA) macros — programmatically uses Internet Explorer functionality. A common example occurs when a user opens a Microsoft Office Word 2007 document that contains an ActiveX control, and the ActiveX control programmatically invokes Internet Explorer to render HTML. In this case, Office Word 2007 is hosting Internet Explorer.

By default, Office Groove 2007, Office Outlook 2007, and Office SharePoint Designer 2007 are opted in to all 15 Internet Explorer feature control settings. Microsoft Office InfoPath 2007 is also opted in to these Internet Explorer feature control settings, as well as three Office InfoPath 2007 components: Document Information Panel, Workflow forms, and third-party hosting. These applications are opted in because they host Internet Explorer or there is a high likelihood that they will host Internet Explorer.

Use the following guidelines to help identify other applications that host Internet Explorer or could potentially host Internet Explorer.

We recommend that you opt in any applications that host Internet Explorer or any applications that can potentially host Internet Explorer. Be sure to record the application name and the corresponding executable file name in your security planning documents. You will need to know the executable file name to configure Internet Explorer feature control settings by using the Office Customization Tool (OCT) or Group Policy.

The following table lists the executable file names for the applications that you can opt in to the Internet Explorer feature control settings for the 2007 Office system.

Applications can be opted in to any or all of the 15 Internet Explorer feature control settings, which restrict a wide range of Internet Explorer functionality. In most cases, if an application hosts Internet Explorer or can potentially host Internet Explorer, the application should be opted in to all 15 Internet Explorer feature control settings. Opting in an application to all 15 settings helps ensure that the most restrictive Internet Explorer security model is implemented whenever the application hosts Internet Explorer.

Although we recommend that you opt in applications to all 15 Internet Explorer feature control settings, there are cases where you might need to opt out of specific settings. You might have to opt out of a setting if:

The restrictions of a particular setting prevent an application from behaving as expected. For example, if you know that an application uses Internet Explorer to download files without user intervention, you might have to opt out of the Restrict File Download setting.

The restrictions of a particular setting are not necessary because the specific threat that the setting mitigates poses little or no risk in your organization. For example, if users cannot access public networks such as the Internet, you might not need to opt in to the Block pop-ups setting.

The restrictions of a particular setting cause a decrease in performance. For example, the Saved from URL setting can cause a decrease in performance. If the loss in performance is great, you might have to opt out of that setting.

Be sure to record in your security planning documents the applications that you want to opt in to all 15 Internet Explorer feature control settings. Also be sure to record any Internet Explorer feature control settings that you need to opt out of.

Note:

Office InfoPath 2007 is a special case and cannot be opted in to or opted out of individual Internet Explorer feature control settings. You can only configure which Office InfoPath 2007 components are opted in to or opted out of the entire group of Internet Explorer feature control settings. Be sure to record in your security planning documents any Office InfoPath 2007 components that you want to opt out. We recommend that you leave the default settings as they are and opt in all Office InfoPath 2007 components. For more information about the Office InfoPath 2007 settings, see Security policies and settings in the 2007 Office system.

Although we recommend that you opt in any application that hosts Internet Explorer or can potentially host Internet Explorer, there are some instances where opting in an application can cause unexpected behavior in previous versions of the Office system. This unexpected behavior occurs because of the way Internet Explorer feature control settings are stored in the registry, and can occur only in side-by-side installations of the 2007 Office system and earlier Office releases.

When an application is opted in to or opted out of an Internet Explorer feature control setting, the application's executable file name is stored in the registry as an entry under that setting's key, with a value of 1 (opted in) or 0 (opted out). For example, if you opt in Office Word 2007 to the Restrict ActiveX Install Internet Explorer feature control setting, a registry entry named Winword.exe is added under the FEATURE_RESTRICT_ACTIVEXINSTALL registry key, and the Winword.exe entry is set to a value of 1.

Whenever Internet Explorer is invoked programmatically, it identifies the process, dynamic-link library (DLL), or executable file that is hosting it, and then checks the registry to see whether that host is opted in to or opted out of each Internet Explorer feature control setting. If the registry entry for the host under a given setting's key has a value of 1, Internet Explorer enables the more restrictive behavior of that setting for the host. For example, if Internet Explorer is hosted by Winword.exe, and the Winword.exe entry under the FEATURE_RESTRICT_ACTIVEXINSTALL registry key has a value of 1, Internet Explorer adopts the more restrictive behavior that is specified by the Restrict ActiveX Install Internet Explorer feature control setting.
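The following PowerShell script is an added example, not part of the Office Resource Kit, that writes and reads the per-executable opt-in entries described above, and that applies the planning guidance from the preceding section (opt in to all settings, then opt out of named exceptions). It assumes the standard Internet Explorer feature control location, SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\<FEATURE_NAME> under HKLM or HKCU; only FEATURE_RESTRICT_ACTIVEXINSTALL is named on this page, and the registry name FEATURE_RESTRICT_FILEDOWNLOAD used for the Restrict File Download setting is an assumption that must be checked against the Office security settings reference. The function names are the example's own.

```powershell
# Added example (not from the Office Resource Kit).
# ASSUMPTION: feature control entries live under this key, in HKLM or HKCU.
$FeatureControlRoot = 'SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl'

function Set-OfficeIeFeatureOptIn {
    # Opts each executable in (1) to each feature, except features listed in -OptOut (0).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string[]] $Executable,   # e.g. 'Winword.exe'
        [Parameter(Mandatory)] [string[]] $Feature,      # e.g. 'FEATURE_RESTRICT_ACTIVEXINSTALL'
        [string[]] $OptOut = @(),                        # features to opt out of instead
        [ValidateSet('HKLM', 'HKCU')] [string] $Hive = 'HKLM'
    )
    foreach ($f in $Feature) {
        $keyPath = "${Hive}:\$FeatureControlRoot\$f"
        if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
        $value = if ($OptOut -contains $f) { 0 } else { 1 }
        foreach ($exe in $Executable) {
            if ($PSCmdlet.ShouldProcess("$keyPath\$exe", "set DWORD to $value")) {
                New-ItemProperty -Path $keyPath -Name $exe -PropertyType DWord -Value $value -Force | Out-Null
            }
        }
    }
}

function Get-OfficeIeFeatureOptIn {
    # Reports the opt-in state of each executable for each feature.
    param(
        [Parameter(Mandatory)] [string[]] $Executable,
        [Parameter(Mandatory)] [string[]] $Feature,
        [ValidateSet('HKLM', 'HKCU')] [string] $Hive = 'HKLM'
    )
    foreach ($f in $Feature) {
        $keyPath = "${Hive}:\$FeatureControlRoot\$f"
        foreach ($exe in $Executable) {
            $v = (Get-ItemProperty -Path $keyPath -Name $exe -ErrorAction SilentlyContinue).$exe
            $state = if ($null -eq $v) { 'not configured' } elseif ($v -eq 1) { 'opted in' } else { 'opted out' }
            [pscustomobject]@{ Feature = $f; Executable = $exe; Value = $v; State = $state }
        }
    }
}

# Usage mirroring the page: opt in Winword.exe to Restrict ActiveX Install, but keep it
# opted out of Restrict File Download (an application that downloads unattended).
# ASSUMPTION: FEATURE_RESTRICT_FILEDOWNLOAD is the registry name of that setting.
$features = 'FEATURE_RESTRICT_ACTIVEXINSTALL', 'FEATURE_RESTRICT_FILEDOWNLOAD'
Set-OfficeIeFeatureOptIn -Executable 'Winword.exe' -Feature $features `
                         -OptOut 'FEATURE_RESTRICT_FILEDOWNLOAD' -WhatIf
Get-OfficeIeFeatureOptIn -Executable 'Winword.exe' -Feature $features | Format-Table -AutoSize
```

Run the usage lines without -WhatIf, from an elevated prompt when writing to HKLM, to apply the change. Because the entry is keyed only by executable file name, the value written here governs every process with that name, which is exactly the side-by-side problem described next.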

However, Winword.exe is the executable file name for Office Word 2007 and for Microsoft Office Word 2003. Therefore, if you have side-by-side installations of Office Word 2007 and Office Word 2003, and you opt in Office Word 2007 to the Internet Explorer feature control settings, Internet Explorer cannot determine whether you want to apply the Internet Explorer feature control settings to Office Word 2007 or to Office Word 2003. This problem occurs with applications that have used the same executable file name for successive versions of the Office system. The following table lists the executable file names that are the same in the 2007 Office system and earlier versions of the Office system.

Executable file name    Applications
--------------------    ----------------------------------------------
Excel.exe               Office Excel 2007, Office Excel 2003
Msaccess.exe            Office Access 2007, Office Access 2003
Mspub.exe               Office Publisher 2007, Office Publisher 2003
Outlook.exe             Office Outlook 2007, Office Outlook 2003
Powerpnt.exe            Office PowerPoint 2007, Office PowerPoint 2003
Visio.exe               Office Visio 2007, Office Visio 2003
Winproj.exe             Office Project 2007, Office Project 2003
Winword.exe             Office Word 2007, Office Word 2003

To identify potential problems with side-by-side installations, we recommend that you test each Internet Explorer feature control setting against the earlier versions of the applications that appear in the preceding table. The Internet Explorer feature control settings are supported only in the 2007 Office system; they are not supported in earlier Office releases and might cause applications in those releases to behave unpredictably.
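As an added example (not from the Office Resource Kit), the following PowerShell audit lists every opt-in or opt-out entry for an executable name in the table above that is present in both a 2007 and a 2003 installation on the machine, so the ambiguity can be recorded in the security planning documents before the setting is tested. It assumes the default install folders Office12 (2007) and Office11 (2003) under Program Files, the standard feature control registry location named earlier on this page, and uses function names of its own.

```powershell
# Added example (not from the Office Resource Kit).
# Executable names shared by 2007 and 2003 releases, from the table on this page.
$SharedExecutables = @(
    'Excel.exe', 'Msaccess.exe', 'Mspub.exe', 'Outlook.exe',
    'Powerpnt.exe', 'Visio.exe', 'Winproj.exe', 'Winword.exe'
)

function Get-OfficeInstallRoots {
    # ASSUMPTION: default folder names Office12 (2007 Office system) and Office11 (Office 2003).
    $versions = @{ '2007' = 'Office12'; '2003' = 'Office11' }
    $bases = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($base in $bases) {
        foreach ($v in $versions.GetEnumerator()) {
            $dir = Join-Path (Join-Path $base 'Microsoft Office') $v.Value
            if (Test-Path $dir) { [pscustomobject]@{ Version = $v.Key; Path = $dir } }
        }
    }
}

function Find-OfficeIeOptInConflicts {
    # Emits one record per feature/executable entry that applies to more than one installed version.
    param([ValidateSet('HKLM', 'HKCU')] [string] $Hive = 'HKLM')
    # ASSUMPTION: standard Internet Explorer feature control location.
    $fcRoot = "${Hive}:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl"
    if (-not (Test-Path $fcRoot)) { return }
    $roots = @(Get-OfficeInstallRoots)
    foreach ($featureKey in Get-ChildItem -Path $fcRoot) {
        $entries = Get-ItemProperty -Path $featureKey.PSPath
        foreach ($exe in $SharedExecutables) {
            $value = $entries.$exe                       # registry names are case-insensitive
            if ($null -eq $value) { continue }           # not configured for this feature
            $present = @($roots | Where-Object { Test-Path (Join-Path $_.Path $exe) })
            if ($present.Count -gt 1) {
                [pscustomobject]@{
                    Feature    = $featureKey.PSChildName
                    Executable = $exe
                    Value      = $value
                    State      = if ($value -eq 1) { 'opted in' } else { 'opted out' }
                    AppliesTo  = (($present | ForEach-Object { $_.Version }) -join ', ')
                }
            }
        }
    }
}

Find-OfficeIeOptInConflicts | Format-Table -AutoSize
```

An empty result means either that no shared executable is configured or that only one Office version is installed; run it once per hive (HKLM and HKCU) if settings are deployed through both the OCT and Group Policy.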